    Netgate Discussion Forum
    No 'default' route in outgoing load balance

    Routing and Multi WAN
      syntax last edited by

      I'm trying to set up a dual-WAN outgoing load balance on pfSense 1.0.1. I've attempted to follow the instructions from the wiki, by doing the following:

      • Assigned and configured LAN, WAN, and OPT1 (WAN2). On my WANs, I have no issues pinging my gateways for each interface
      • Created a new 'gateway' pool under Services -> Load Balancer, listing each WAN's gateway in the IP list (e.g. WAN2's IP is 61.17.126.74/24, so I added 61.17.126.1 to the IP list)
      • Changed the default LAN outgoing rule under Firewall -> Rules -> LAN from 'default' to 'wan_balance' (the name assigned to my pool in the previous step)
      • From the command prompt on the pfSense box, I cannot ping or connect to any host not explicitly listed in the routing table. I can ping each WAN's gateway fine, but nothing past that. My netstat -rn lists no 'default' gateway. If I manually add a default gateway as one of my WAN's gateways, everything flows fine over that one connection.
      • If I reboot (to flush the changes I manually made to the routing table via route), and try altering the LAN outgoing rule from 'wan_balance' to my OPT1 connection, no traffic will flow, as there is no default gateway rule present.

      I've reset the configuration and set it up again from scratch several times with the same results. Most of my configuration I've had to do without the main WAN plugged in (so as not to completely disable my office during testing), but when doing this I've altered my load balance pool to only contain the OPT1 connection, and if I'm overriding the default outgoing rule to only concern the OPT1 interface (either directly or via the load balancer pool), I can't imagine that the lack of a WAN would make a difference.

        syntax last edited by

        Here's my entire config XML in case that helps (in its current form with only the OPT1 in the load balancer pool, so as not to completely disable my office network when testing):

        
         <pfsense>
           <version>2.3</version>
           <lastchange/>
           <theme>metallic</theme>
           <system>
             <optimization>normal</optimization>
             <hostname>pfSense</hostname>
             <domain>example.com</domain>
             <dnsallowoverride/>
             <username>admin</username>
             <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
             <timezone>America/Chicago</timezone>
             <time-update-interval>300</time-update-interval>
             <timeservers>pool.ntp.org</timeservers>
             <webgui>
               <protocol>http</protocol>
               <certificate/>
               <private-key/>
             </webgui>
             <disablenatreflection>yes</disablenatreflection>
             <dnsserver>10.10.10.15</dnsserver>
             <dnsserver/>
             <enablesshd>yes</enablesshd>
             <maximumstates/>
           </system>
           <interfaces>
             <lan>
               <if>rl0</if>
               <ipaddr>10.10.10.2</ipaddr>
               <subnet>24</subnet>
               <media/><mediaopt/>
               <bandwidth>100</bandwidth>
               <bandwidthtype>Mb</bandwidthtype>
             </lan>
             <wan>
               <if>rl1</if>
               <mtu/>
               <ipaddr>64.16.187</ipaddr>
               <subnet>29</subnet>
               <gateway>64.16.187.54</gateway>
               <blockpriv>on</blockpriv>
               <disableftpproxy/><dhcphostname/>
               <media/><mediaopt/>
               <bandwidth>100</bandwidth>
               <bandwidthtype>Mb</bandwidthtype>
               <spoofmac/>
             </wan>
             <opt1>
               <if>rl2</if>
               <descr>WAN2Speakeasy</descr>
               <bridge/><enable/>
               <ipaddr>69.17.126.74</ipaddr>
               <subnet>24</subnet>
               <gateway>69.17.126.1</gateway>
               <spoofmac/>
             </opt1>
             <opt2>
               <if>rl3</if>
               <descr>OPT2</descr>
             </opt2>
           </interfaces>
           <staticroutes/>
           <pppoe><username/><password/></pppoe>
           <pptp><username/><password/><local/></pptp>
           <bigpond><username/><password/><authserver/><authdomain/><minheartbeatinterval/></bigpond>
           <dyndns>
             <type>dyndns</type>
             <username/><password/>
           </dyndns>
           <dhcpd>
             <lan>
               <range>
                 <from>10.10.10.10</from>
                 <to>10.10.10.245</to>
               </range>
             </lan>
           </dhcpd>
           <pptpd><mode/><redir/><localip/></pptpd>
           <ovpn/>
           <dnsmasq><enable/></dnsmasq>
           <snmpd>
             <syslocation/><syscontact/>
             <rocommunity>public</rocommunity>
           </snmpd>
           <diag><ipv6nat/></diag>
           <syslog/>
           <nat>
             <ipsecpassthru/>
             <advancedoutbound>
               <rule>
                 <source><network>10.10.10.0/24</network></source>
                 <sourceport/>
                 <descr>Auto created rule for LAN</descr>
                 <target/>
                 <interface>wan</interface>
                 <destination><any/></destination>
                 <natport/>
               </rule>
               <rule>
                 <source><network>10.10.10.0/24</network></source>
                 <sourceport/>
                 <descr>Auto created rule for LAN</descr>
                 <target/>
                 <interface>opt1</interface>
                 <destination><any/></destination>
                 <natport/>
               </rule>
               <enable/>
             </advancedoutbound>
           </nat>
           <filter>
             <rule>
               <type>pass</type>
               <interface>opt1</interface>
               <max-src-nodes/><max-src-states/><statetimeout/>
               <statetype>keep state</statetype>
               <os/>
               <protocol>tcp</protocol>
               <source><network>lan</network></source>
               <destination><any/></destination>
             </rule>
             <rule>
               <type>pass</type>
               <interface>lan</interface>
               <max-src-nodes/><max-src-states/><statetimeout/>
               <statetype>keep state</statetype>
               <os/>
               <source><network>lan</network></source>
               <destination><any/></destination>
               <descr>Default LAN -> any</descr>
               <gateway>wan_balance</gateway>
             </rule>
           </filter>
           <ipsec><preferredoldsa/></ipsec>
           <aliases/>
           <proxyarp/>
           <wol/>
           <installedpackages/>
           <revision>
             <description>/system_advanced.php made unknown change</description>
             <time>1162530457</time>
           </revision>
           <load_balancer>
             <lbpool>
               <type>gateway</type>
               <monitorip/>
               <name>wan_balance</name>
               <desc>Balaner from LAN to Nuvox/Speakeasy</desc>
               <port/>
               <servers>69.17.126.1|69.17.126.1</servers>
             </lbpool>
           </load_balancer>
         </pfsense>
        

        and my IPv4 netstat -rn

        
        Internet:
        Destination        Gateway            Flags    Refs      Use  Netif Expire
        10.10.10/24        link#1             UC          0        0    rl0
        10.10.10.15        00:12:3f:d2:d3:4a  UHLW        1       11    rl0   1197
        10.10.10.160       00:0a:95:af:82:7e  UHLW        1      333    rl0    933
        64.16.0.184/29     link#2             UC          0        0    rl1
        69.17.126/24       link#3             UC          0        0    rl2
        69.17.126.1        00:90:1a:41:04:37  UHLW        1      297    rl2   1172
        127.0.0.1          127.0.0.1          UH          0        0    lo0
        
          hoba last edited by

          Load balancing has nothing to do with static routes or default gateways from the system's routing table. Do you test from behind the pfSense? The pfSense itself can't utilize load balancing/policy-based routing. Only connections running through the pfSense can be balanced.

            billm last edited by

            I don't quite follow what you did, but what the heck happened to your default route?!?!?!

            –Bill

            pfSense core developer
            blog - http://www.ucsecurity.com/
            twitter - billmarquette

              sullrich last edited by

              Just for the Linux people: FreeBSD only has ONE default route (as of today's date) and we manipulate the routing table with PF, which also means the firewall itself is unaffected by this policy.

              Now back to your regular scheduled thread.

                syntax last edited by

                @hoba:

                Load balancing has nothing to do with static routes or default gateways from the system's routing table. Do you test from behind the pfSense? The pfSense itself can't utilize load balancing/policy-based routing. Only connections running through the pfSense can be balanced.

                I've tested from a computer using the pfSense box itself as well as straight from the pfSense console. Are you saying, however, that pfSense itself will only use the WAN link (assuming that the default gateway is set up for it)?

                Also, how can I examine the rules that pf is using? I haven't run a BSD since OpenBSD 2.6, and in those days I just remember checking the pf.conf (or was it ipf back then?) to see the rules laid out in the flat file – and it seems pfSense doesn't load/save its rules via that file.

                  hoba last edited by

                  The file that gets loaded into pf is located at /tmp/rules.debug. You can view it either at diagnostics>edit file or by downloading it via diagnostics>command.
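As an added illustration of what sullrich and hoba describe (PF policy routing rather than a default route, and why the firewall's own traffic is not balanced), here is a pf.conf fragment of the kind you would expect to find in /tmp/rules.debug. It is not pfSense's generated ruleset and not from any poster; the gateways and interface names come from the config above, while the macro names and the `pass out` rule are assumptions.

```pf
# Added example of PF policy-based routing (not pfSense's generated rules).
# Gateways and interfaces are those in the posted config; macro names are
# assumptions.
lan_if  = "rl0"
wan_if  = "rl1"
opt1_if = "rl2"
lan_net = "10.10.10.0/24"
wan_gw  = "64.16.187.54"
opt1_gw = "69.17.126.1"

# Packets arriving on the LAN interface from LAN hosts are handed to one of
# the two gateways in turn. The kernel routing table is never consulted for
# the next hop: pf sets it per state, so no default route is needed for this
# traffic. "keep state" pins every packet of a connection to the gateway
# chosen for its first packet, so a flow never straddles both WANs.
pass in quick on $lan_if \
    route-to { ($wan_if $wan_gw), ($opt1_if $opt1_gw) } round-robin \
    from $lan_net to any keep state

# Nothing above matches packets the firewall generates itself: they are not
# received "in" on $lan_if, so they are routed by the kernel table alone.
# With no default route there, pings from the console to hosts outside the
# directly connected subnets fail, even while LAN clients are balanced.
pass out quick on { $wan_if, $opt1_if } keep state
```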
